use vendor tarball v1, uploaded to blob store

microsoft · Jan 30, 2025 · 5918f96 · 5918f96
1 parent e7c3033
commit 5918f96
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 16 deletions.
diff --git a/...ication-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json b/...ication-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json
@@ -1,6 +1,6 @@
 {
   "Signatures": {
-    "application-gateway-kubernetes-ingress-1.7.2-vendor.tar.gz": "c7ed26c959d032de3be6b14717ea0703b3543df299c77aa1d553f11b13b88a0e",
+    "application-gateway-kubernetes-ingress-1.7.2-govendor-v1.tar.gz": "501be9b58865c93adc8f2c2c49d3fe8f57abbc5d97985c74f69024b434e5ae06",
     "application-gateway-kubernetes-ingress-1.7.2.tar.gz": "df1ca6b5a5c328521fea35d4fea5edc48e0214324986f263e2f7d960a8a6acd8"
   }
 }
diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
@@ -9,20 +9,10 @@ Distribution:   Azure Linux
 Group:          Applications/Networking
 URL:            https://github.com/Azure/application-gateway-kubernetes-ingress
 Source0:        https://github.com/Azure/application-gateway-kubernetes-ingress/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# Below is a manually created tarball, no download link.
-# We're using vendored Go modules from this tarball, since network is disabled during build time.
-# How to re-build this file:
-#   1. wget https://github.com/Azure/%%{name}/archive/refs/tags/%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
-#   2. tar -xf %%{name}-%%{version}.tar.gz
-#   3. cd %%{name}-%%{version}
-#   4. go mod vendor
-#   5. tar  --sort=name \
-#           --mtime="2021-04-26 00:00Z" \
-#           --owner=0 --group=0 --numeric-owner \
-#           --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
-#           -cf %%{name}-%%{version}-%%{release}-vendor.tar.gz vendor
-#
-Source1:        %{name}-%{version}-vendor.tar.gz
+# Leverage the `generate_source_tarball.sh` to create the vendor sources
+# NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store.
+# After fixing any possible CVE for the vendored source, we must bump v1 -> v2
+Source1:        %{name}-%{version}-govendor-v1.tar.gz
 Patch0:         CVE-2022-21698.patch
 
 BuildRequires:  golang >= 1.13

diff --git a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh
@@ -7,7 +7,7 @@ set -e
 
 PKG_VERSION=""
 SRC_TARBALL=""
-VENDOR_VERSION="2"
+VENDOR_VERSION="1"
 OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 # parameters: